General Data Protection Regulation (GDPR) came into effect in 2018 with the intention of ensuring maximum data privacy and protection in the EU and EEA areas. Organizations hence appropriately adopted security, access control and data segregation measures to fulfill GDPR requirements. This law protects all digital data from credit card information to social media posts to IP addresses.
The importance and impact of GDPR is undeniable, with severe penalties in case of a breach. The GDPR fine can go up to €20 million or 4% of the organization’s global annual revenue (whichever is higher in value). Between January 2020 and January 2021, fines equaling €158.5 million have been imposed on organizations that have breached GDPR in some form.
At first glance, GDPR might seem like a looming giant that is impossible to conquer. However, breaking down its implementation into smaller parts makes it feel less intimidating. Today, our aim is to discuss the implications of a crucial part of GDPR, Article 32, which is linked to the security of personal data being processed. We will also discuss how data segregation and access control capabilities assist in meeting GDPR Article 32’s requirements.
GDPR Article 32: Security of Processing
GDPR Article 32 requires organizations to have technical and organizational security measures in place. The stringency of these measures depends on several factors, including how sensitive the personal data is and the purpose for which it is being collected.
Clause 1(b) of Article 32 states that the data processing systems used by organizations should have:
“The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
This point can be broken down and understood as follows:
- Confidentiality – the assurance that only authorized personnel are granted access to personal data
- Integrity – the assurance that data cannot be altered accidentally or by unauthorized personnel
- Availability – the data is available and protected so that authorized personnel can access and view it
- Resilience – the processing system should withstand and recover from breaches or attacks
Article 32 further expands on this in clause 2:
“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Organizations should therefore adopt processing systems that meet these GDPR requirements by providing appropriate privacy measures through data segregation alongside access controls and identity management capabilities. Some enterprise content management solutions are designed with all of these capabilities in mind to deliver a comprehensively secure solution. Let’s explore further how these features assist in meeting Article 32’s criteria:
How Does Data Segregation Help You Comply with GDPR Article 32?
First and foremost, you should understand how data segregation capabilities help you comply with GDPR conditions. Data segregation divides content into separate portals so that different access controls can be set for each type of content. Data can also be segregated by dividing the users themselves into different groups, for instance departmental groups or project-specific groups.
Separate autonomous portals can be created with custom security policies and access controls. This is especially useful for an organization dealing with data or content with varying levels of risks. For example, a separate portal could exist for surveillance footage and a separate one for general HR training content.
Despite its importance, data segregation alone is not enough to meet GDPR Article 32 requirements. Other security measures, like role-based access controls, multi-factor authentication and SSO integrations, should work in tandem to proactively protect the data. For instance, through SSO integration with your company’s identity directory, you can synchronize groups and reuse the organizational units that are already defined there.
Role-Based Access Control
To comply with GDPR Article 32, role-based access controls work in combination with data segregation to prevent unauthorized access to personal data. Enterprise content management solutions like VIDIZMO allow you to define different user roles based on each employee’s position, authority or trust level. VIDIZMO provides certain default roles, and it is also possible to define custom roles if your organization has unique requirements.
Access management can be automated and sped up by utilizing these user roles to manage access controls. Access to certain data types can be assigned based on different user roles rather than each individual employee. In most cases, access is naturally assigned based on employees’ job position or trust level, so role-based access management is suitable in such cases. In other situations, project-specific or department-wise user groups or multiple autonomous portals can be created through data segregation capabilities to meet GDPR requirements for teams that are not confined to a certain user role.
Last but not least, alongside data segregation and access control capabilities, your enterprise content management system must have an identity management system to ensure that only authorized and relevant users can access the data.
VIDIZMO supports single sign-on integration with multiple authentication providers:
- Directory services such as Azure Active Directory, AWS, etc.
- Identity Access Management (IAM) services such as Okta, OneLogin, etc.
- Third-party login services such as Facebook, Google, Office 365, etc.
According to Finanso.se, 56% of Europeans have experienced some form of fraud, with one-third of those having faced identity theft. This underscores how important identity management is for every organization, especially those processing sensitive information. This is exactly why following GDPR requirements is so crucial, not just to meet compliance obligations but also to prevent such identity theft from happening within your organization’s database.
Need a GDPR Solution with Seamless Data Segregation and Access Controls?
With GDPR’s “privacy-first culture” and the general public’s growing awareness of how exposed their personal data is online, it is becoming inevitable that organizations must quickly adopt appropriate security measures to reassure their stakeholders. Accordingly, they should choose the right tools to protect the personal data they process.
Organizations are also increasingly producing a greater amount of digital content for:
- internal purposes, like recordings of online meetings and company town halls
- external purposes, like marketing content or product explainer videos
VIDIZMO is an enterprise video content management system for GDPR-compliant video streaming and management of digital content. VIDIZMO not only provides data segregation, role-based access controls and identity management, it also has many more features to address GDPR requirements centrally. The following are a few more valuable features that help fulfill other GDPR conditions:
- Audit logs are available to track all individual user activities as well as platform-wide activities
- Restricted sharing, which lets you share content with specific individuals through password protection and limited availability windows
- End-to-end content encryption
- Integration with video conferencing tools like Zoom and MS Teams to securely share recorded meetings that can also be auto-ingested in VIDIZMO for future playback as an on-demand video
- Custom security policy can be set with a custom retention policy, options to block IP or location, and much more.
Contact us today to discuss any further queries and book a free trial to experience these features firsthand!